Dealing With Teen Apps In Digital Forensics

Read a full transcript of the webinar here.Welcome to Paraben’s webinar on smartphone evidence, [teens] and their apps that they use. I’m Amber Schroader at Paraben Corporation and I’m going to be guiding you through this webinar, showing you the E3 platform and processing popular apps used by teens.

Before we started the webinar, we have acquired our different devices. I’m going to focus, instead of just on iOS devices, we’re going to focus on Android and we’re going to focus on our Android 2, which is a logical image, a media card image, and a cloud image. The other Android and iOS devices that are available for this webinar, if you’re interested, you can email us and we’re happy to provide them to you. And you can actually go through and practice and process this data.

When I acquired these devices, what I did in the acquisition process is I selected the option on the right, which is my Android Logical option, but as I do according to my standard operating procedure, I always process also the media card as a physical item. It’s an important procedural step that you have to adjust and make sure that you’re doing with all different types of Android devices that do have the media card option.

When I did my logical option, I selected the Full Logical option. There’s two other options that are available, depending on the type of Android device – you can do a Physical Acquisition of the device, and you also have an option to do a Custom Logical Acquisition. This option is if you want particular features when you have a limited amount of time and access to the device. This is great in a consent situation where people usually have about a 20-minute window where they’re willing to give consent for you to look at their device. It allows you to focus that acquisition on those particular items in those 20 minutes. So, in this case, where we’re focusing on apps, it would allow you to acquire just the apps from the device, and then you could ignore the other items. So, you’ve made sure you got the most data that you were interested in, in that window of time.

When you do the options for selecting, as you see in the far panel, we have the different options you can select with that custom acquisition I was just mentioning. And then, with the logical acquisition, this is our most common acquisition that people are doing with smartphone devices, that gets you both active and deleted data. In iOS, this is the most common option that everyone does. So, you’re processing, typically, backup records – that’s still logical image, but you can get deleted data. And then, with Android, this is also the most common option, which also will give you different amounts of deleted data, depending on which firmware the device has.

With physical acquisitions, I mentioned that I do that with my media card. Every Android that has an attached media card, you should always make sure that you process it physically, because this allows you to see it in its native file system, as opposed to seeing it through the Android device itself. I have a separate media card reader that I’ll place the media card in, and it’ll add that into my acquisition. So, when I look at my overall case, as we’ll see in a minute, you actually see all that data together. The custom acquisition is for selected features – limited time, as I had mentioned. And then of course, physical acquisition – we do this a lot with locked devices, because it allows you to do a bypass of the locks on the device. You can work with specific chipsets. So, in the case of the E3 platform, we’ll be able to talk directly to the chipset, and that bypasses the password, and then you can do a full physical acquisition.

Once you get into the data acquisition, it’s always a good thing to note that you have the ability to reference the help file at any time. And then, it gives you examples of what you need to have set on the device in order to get a successful acquisition.

Here’s your processing stage – since I’ve done all this ahead of the webinar, I’m going to just show you some examples of it, where you see the different things as they complete. You get a notice that says it’s successful, and then it has the separate options, such as Installed Applications.

Before I did the processing for this webinar, I also did some pre-processing or analytics ahead of time. I sorted the data. This is a function that you see in the E3 platform, where we divide the device into logical categories such as graphics, multimedia, documents, email messages, and we put them in different categories for you to be able to reference the data by its header, and immediately see that information. The second thing I did is I indexed all the data associated with my image. I do that with all types of images, whether it’s computer images or mobile images, with the E3 platform, to make sure that I’m going to optimize the amount of time I spend on my analytics.

As part of that indexing process, you also have the ability to do an OCR, so you can do an optical character recognition. I find this particularly valuable when we’re working with mobile devices, because many people, when they’re using their mobile phone, they like to make sure they take a picture of the item they might be interested in. That textual item can then be captured in your index, and then, when you search, you’ll get the items outside of that image. So, OCR is one of those critical features I find with smartphones.

Then I have to carve my data out of unallocated memory. This is part of the process associated with using the sorting engines and some of the analytics that we do ahead of time, to make sure when I do look at all of the multimedia, if the multimedia was inside an MMS message, I can see the message and the media, and when I look at either of those categories, I’m able to see that data comprehensively.

Then, finally, the last part is we do our app parsing, which is what we’re going to focus on. We can do this with multiple types of acquisitions, so whether I’m doing a logical or I’m doing a physical acquisition, I can parse the apps associated with it. You do have access to the file system that is required to be able to see the apps, because many of the apps are existing there. You should also note that many different app versions will change whether or not an app is parsed or it is unparsed. The unparsed still allows you to see the data associated with it. And then, the last thing is to make sure that you look for cloud keys, which is why we’re going to reference that as well, because many of the apps are moving to cloud storage, to make the job of updating those apps for the different firmware versions easier.

When we look at apps, we look at apps in two different ways. My image of the parsed data where I have the neatly lined up chairs, that’s a perfect world where all of my app is parsed by my tool, it’s done all the work for me, I see all the references to the account, messages, conversations, all of that information is put in there, in an easy-to-read form. Most of the time, we have days where it’s like the unparsed data, where we see just a pile of chairs, and it’s then our responsibility as investigators to break up these chairs and make them so they make sense based on that app. That’s when we’re referencing different databases in the app and making sure we’re understanding when we see the messages, when do we see the images that go with those messages.

And that’s when we’re matching up different details in the SQLite databases often, to make sure we’re understanding the apps. There’s a good general note about all apps, and that is they really try to make sure, no matter what the app is, that the data associated with the account of that particular app is typically kept in an unencrypted form, so it’s in a plain text form, which allows you to almost always get at least that bare bones information, no matter what type of app it is and no matter what type of acquisition you’re getting.

Now we’re going to get started by looking in the E3 interface. I’m going to do a basic preview of what the interface has. Over to our left here, we have the tree view, as we see the different pieces of evidence, as I’ve mentioned, in my acquisition. I’ve had three types of acquisitions that I completed. So, I processed the device’s media card, which is what we see here. I have the device’s cloud data, which I see here. And then, I have my primary logical acquisition, which is this section down here. As I mentioned in my prior description, we also have our sorted files, when we have our sorted files, these are the different files, as we see, broken into different categories. For example, if we look at Graphics here, we have over 10,000 different graphics we want to see. So, we have the binary data associated with them, and if I want to actually view those graphics, I have my viewer associated with this window here.

In addition, we have different tabs associated with the E3 interface. We have our Evidence tab – this is the first step of the process, which are the different types of evidence I can add? When I did my acquisition, I did it through this section here. And I processed the data into my case through here. Then I have my analytic choices that I wanted to process with them. I have the choices like my Content Analysis wizard, which, I can also access any one of these options here on my right-click.

Since I’ve already run all of my content analysis, I don’t need to run it again. I also have all of my searching options here, which we see – I can sort – search just by sorted categories. If I know I’m looking for a document, I can take sorted category and I can look just in the documents there. I can go and look at my keyword for any basic words that I have. I can look in particular items associated with things, like email. I can also go through and do an advanced search here, which allows me to do things like a Boolean expression, as you see here, where the Boolean expression just has to be in all caps. I also have other searching options, such as a regular expression or a simple search. I can do things like match my case, and I also have options to pick different locales.

There’s a huge amount of different languages that are supported, and you can add those into the tool for the different language packs, as you see here. There’s over 150 different languages that you can actually search with, and you just have to add that in as well. And then I have the option to search by hex in addition.

One of the nice things I have with mobile devices … and anyone who’s doing a lot of different child exploitation cases that you have specific words you look for every time, you can add in a text file of those words, so it makes it very easy to upload that, or we also have, from a research project done in the United States, a child exploitation search term list that was done by a variety of different universities, of common terms that you might see. [10:49] I don’t have that file.

So, now we’re going to look at the apps. These are all the basic functions … and of course sorry, I did not mention, the last function of course is our reports, which is our last thing that we look at when we’re doing our case. Since we’re going to focus primarily on apps, I’m going to close out some of these little individual areas, and we’re going to look at the basics associated with our app.

When we look at a smartphone, we have of course the basics of the logical image where we see things like the file system, the call history, contacts, media store, calendar, etc., some of the unique things that you see in the E3 platform are the authentication data file. This is something that Paraben finds, this is how we collect the keys associated with someone’s cloud account. We add them into an authentication data file. So, this is our indication to you that you have available cloud data for you. The other thing we do is we collect all of the application data and we make it very easy for you to reference. So, in our installed applications, we have application data, we have our installed application list, and we have application permissions.

When I’m reviewing installed applications – I’m going to expand a few areas here, so we have just this on focus – I have, first, a full, comprehensive list of all the different apps associated with the device. This is a great way to get an idea, what do we know about our teen and what apps might they be using.

We see some common, popular apps on here, such as Instagram, Kik, Facebook Messenger, Snapchat, Whisper, and a variety of other ones, Meetup, MeetMe, Pinterest, etc. We see all of those associated with the list here. When we want to review them, it’s automatically parsed by whether … or sorted, sorry, by whether or not it has a parsing or not-parsing associated with it. So, let’s look at a parsed app that’s very popular. Let’s look at Snapchat.

Over here, I have parsed application data. I’m going to expand this out a little bit. That’s telling me I can just click here and it’s going to immediately take me into a parsed app associated with Snapchat. Like I mentioned, with most apps out there, you get the account information, so if I want to see the basics, information on my user – so, their display name is Jenna Thompson, as an example, how many snaps they received, if they can receive snaps from strangers versus just friends, as an example, that would be valuable associated with a teen. I can also see their friend list, and you see I just went back over to my left navigation bar to be able to see that particular data. My main viewer is then refreshed with the information I select on the left-hand side.

So, I see a variety of different friends that are associated with my user Jenna or my suspect Jenna, whether or not they are a friend, are they a best friend, and mark this as settings that the user has selected, whether they’ve ignored them, following them, or they’re hidden or not. We have their sent snaps that they have and who they went to as well as the status associated with them. So, when I look at the sent snaps, I have … it was going to a michaelderr15, and the date and time stamp associated with that.

I also then can expand my received snaps. When I look at received snaps associated with Snapchat I get slightly different information. I get different statuses associated with them, because the way that Snapchat works is of course I have a snap of time that I get to review the data associated with that chat. So, we see a status where it’s not viewed and not loaded, as an example, or loaded and not viewed. Which is whether or not it was available and loaded into the device and whether or not the user has selected it. And then it has a set display time that they expected for this snap to be run. So, all of these are done from teamsnapchat, but the last one here, we have from our same person that we saw our snap with earlier, which is michaelderr15, which was loaded but it was not viewed yet.

Then, we also have things like stories. Stories are short snippets of information that we’re sharing in different apps. Many apps now have stories associated with them, and they have them separated out as different sections of the app. So, it’s not in the primary chats, for example. We see that stories have a separate category. So, this one, it’s a girls’ movie night, it has its display time of three seconds and it was an image associated with it, and a link to it. And then, the next section we have here is of course our chats that happened back and forth, which are actual textual conversations. One of the nice things associated with this is whether or not you’re keeping the image in Snapchat, since Snapchat is notorious for actually removing the image, a lot of times, the textual data of that image or the overlay associated with it, of any comments that you might have added to it, are actually kept while the image itself might not be. So, you’re still able to get partial information associated with Snapchat.

And then, our final section that we want to look at is recovered data. It is really important, when you’re dealing with smartphones, that you reference any data that you get back, instead of calling it as deleted data, you want to call it recovered data, especially with apps, because many times, the app itself will go through and actually do the notification that says whether or not the data is active or inactive, or recoverable or active. And it does the flag. It’s not the user that’s actually setting up these preferences, it’s actually the app itself. So, with Snapchat, we see data that’s available, such as recovered chats and recovered friends. So, these were all the friends that they decided that they were no longer deciding to be friends with, and they have since moved on or they quit following them, different status changes such as that. Those are some of the basics of Snapchat.

If I go back to my installed application list and I find another app that I want to take a look at … so, I see something like Kik, which is a very popular one. I see that this is also a parsed app. But we see the data is different. So, I have something called Conversations. We know that that’s probably the primary function of this app. So, we have conversations or chats, back and forth, with the Kik team, and then we also have a whole bunch of different conversations associated with one particular user, which is Holden Davies. And we see the text preview of all of that conversation going back and forth. So, we know that we can get all of that information and we can then check to see, is Holden one of our members, of our contacts, which is also stored with Kik. And we can see, are we seeing different information like that? Do they have a different screen name than just their regular name? And he does – he has ridethelightning6969.

So, we know his actual username is Holden Davies, and then his chat name is ridethelightning6969. And then, once again, we get that lovely information, which I like to call forensic sprinkles, which is our recovered conversation. We know that we can get that data back.

There are a variety of other apps that exist on this particular device that are popular with teens, and again, if anyone wants to review this, they’re welcome to contact us and we’re happy to provide the image. We see things like Instagram, where we have media, we have our account associated with it.

Again, that’s that nugget of information that’s available with every app that we have. We have our cash media, since Instagram is primarily graphics, associated with it. And the data we want to see, associated with those different graphics. If I want to navigate to those files, I can do so. But these are the different images that will come up. Most of the time, we’re looking for different things, like our conversations, again, that we’re having with our different users. So, we have two different people here that we have, Jenna talking to glossypen, we have Jenna talking to Holden Davies again, so that makes sense. We had him in our Kik conversation as well. Talks about, then, watching other things that we will follow, like “Would you like to vid chat?” etc., and then, other people that we have associated with it. Within our conversation lists, you will also see it broken down in different databases, so we know all the conversations that happened between Holden Davies and Jenna Thompson. We have those forensic sprinkles again, with our recovered messages, and then our recovered conversation list as well.

One of the text string searches I always like to do when I’m doing any type of smartphone analysis is I always like to look for the word ‘conversations’. It’s not a common textual word that we might chat to one another, but it is a very common area for different databases to store the conversations as. So, with that full-text index that I mentioned in the beginning, I will make sure that I get to pick up that information from a variety of different apps, simply by looking for a different word than I might traditionally, which is looking for the word ‘conversations’.

So, let’s look at some of the other information we can find with our apps. When I’m looking at app analysis, I always want to pay attention to my version number, because that’s going to tell me whether or not the app is going to be supported, is it current, I can always go to that particular device manufacturer – so this is an Android. I will go to the Google Play Store, and I can look up Instagram and see if this same version that is on my device is the current version. And there’s always a record in the App Store as well that tells me the different features and access points associated with that app. So, I know if it has a particular feature. So, in this version of Instagram, did they allow pictures that are shared back and forth in conversations to be automatically deleted? And it will tell me that rundown of the app in the App Store. So, it’s always wise to go and look there.

I also see things like the internal name, if I want to search by that in my index. I see the category, which is the category that it exists in the app store, which is what you see here. I see the manufacturer, which is something we’re going to talk about, why it has value to us, in just a moment. This is whether or not it’s parsed directly in my tool. And then, I have the location of the raw application data. This is hugely valuable if you want to cross-reference and cross-validate. You know the exact location, so if I acquire this device with two tools, as I normally do in my lab, I know exactly the location that I can look for, for that app data, despite how the tool sees it. So, I can navigate through the file system directly, look for those databases, and see if I find the same information.

In addition, I have permission, which I’m going to show you that on a different list, and then I have whether or not it is suspected of malware. The reason we have this for you is because that is all based on those permissions. As we get more and more malware introduced into mobile devices, it’s important to understand how each of those apps works and communicates back and forth, and so, we rank those. Each one of these columns is also sortable, so if I want all the low suspect items together, I want the suspect items together, then all I have to do is sort those different categories. Let’s look at how we actually come about that information. I move from the installed application list on my left to the application permissions.

The application permissions is part of how I determine whether or not something is going to be malware. Because based on how many different permissions it has in the device, it’s going to tell me whether or not it could actually introduce malicious code or malicious items into my device. So, one of the first things that I look at when I’m looking to determine if an app has potential malware is I look at the source that it came from. Google Play has introduced, in the last couple of firmware updates, the ability to actually scan apps for potential malware, so it’s kind of doing its own anti-malware scanning. But in order to do that, one of the ways that it checks is it checks to see what market that particular app came from. When they have apps that come from unknown sources, that’s one of the signs that this potentially could be malicious, and so you want to make sure you check and watch those particular apps. If it comes from the Google Play market, typically it goes through some type of process to make sure that it is not malicious in the introduction into the device itself.

The other thing we look at is we look at the permissions. I do this as well in a different variety of cases besides just malware analysis, if I have someone – since we’re talking about teen apps – that claims that someone is watching them. I always check and see if there is any potential apps that could be having access to those particular functions on the device that they are claiming are causing them issues, like they’re having random pictures sent to them that they took and they didn’t share with anyone else. That’s when I go through and say, okay, which apps on this device have access to the camera.

So, as I scroll to the right here, we see our traditional ones and zero – one if it’s active and zero if it isn’t, as far as keeping that information. And you see things like modify the phone’s state, capture audio output. If I want to find all the apps that can capture audio output, all I have to do is then sort this list. Let me sort it. And see if there are any on this particular device, which there’s one that has access to that function, app … and we see it’s Google Play Services. Which makes sense – Google Play Services will almost come up as malware by every rule you have, because it has access to everything on the device. So, that makes sense, it would come up in this case. But as I scroll through the side here, I can see all the variety of different settings that I can look for when I’m doing app analysis to make sure that I’m understanding the metadata associated with the app and what impact it can actually have on my device and my investigation.

Let’s move from looking at the internals associated with the app, which we see in the application permissions here, back to our installed application list. On this particular installed application list, we have 45 different apps. And if we look over here, not every one of our apps is parsed. Many of the popular ones are based on the version they are, but a lot of them aren’t. So, I want to go through and look at particular information. So, we had a couple of different ones down here that are pretty popular, which is MeetMe, which is a popular for teens. All I have to do is highlight that particular row … close that … and I’m going to pull over here. Since I know it’s not parsed, because it tells me here it isn’t, I want to go through and I want to look in the actual app internals myself. So, all I have to do is click there. Once I’ve done that, the E3 platform has then navigated me to their raw databases associated with that app. So, I have information such as the cache, the files, etc., databases, always a good sign whenever we want to look for apps.

Another way, if I want to find a quick reference to all the apps on the device, is if I go back to my Sorted Files tab, I see I have one of my categories here, which is databases. And right here, we see a variety of SQLite databases. That’s a great sign for me, because that’s a really easy way, if I want to just look at the SQLite databases, my tool has gone through and found all that information for me. And then I can sort it by size and start with some of the larger databases first, hoping that they might contain the most information that I need on my apps. If I go back to my case content, I can go through and manually look at any one of these sections. If I open up my databases … I always like to sort on this column, together, so I keep all my SQLite databases together, and I find information in here such as chats – that’s a good sign. I open the raw SQLite database and the tables, and then I see other keywords that I had mentioned earlier.

So, I have messages and conversations, members. These are all different things that are going to tell me more information about this app and if my user was using it, so I become the parsing engine. So, if I want to open messages, I open this table, I have a variety of information. I always have references. Here, in my database, again, it’s very tidy. And then, if I scroll over to the right here, I have … it’s a text message. I have a date-time stamp associated with it, and then I have the body of the actual messages. So, we see that I have all the send … been able to find the same information I did that my tool was doing for me, I’ve been able to find it all manually, just as easily.

So, “what do you like”, “I can give you my snapchat”, so I know they’re moving from this app over to Snapchat, and I can kind of map what my individual suspect might be doing in each individual app. Many times, we find that it’s impossible for any tool to parse 100% of the apps out there, because there are millions and millions of them. So, one of the things you want to make sure you watch for is knowing and understanding how to do that manually, especially because so many apps are SQLite-based.

Once I go through and I process these apps, I can say, okay … so I find valuable information, if this is something I want to do, this is important to me, to find out how this person was, was a big part of my case. I can then bookmark that selected data, I can say “How are you” as my bookmark name, and then I have my bookmarks stated over here.

These are just some of the basics, and the easiest way to go through and look at apps. Again, one of your important things to remember is that no matter what, you get basic information on the apps, such as the account, even if the rest of the app is encrypted. And never give up on an app just because it isn’t parsed by your tool. It doesn’t mean you can’t manually find great pieces of information, like the 331 text messages that existed separately, that I parsed using a SQLite parser that is built into my E3 platform. If your tool does not have a SQLite parser, there is also a free plugin you can add into Firefox that will allow you to parse SQLite databases. You can export it out of whatever your image may be, drag and drop it on to Firefox, and process it there.

The final step, if I were doing a full case examination, besides being able to look at my variety of different apps here – I’m going to close those out – is make sure I also look at the apps associated with the cloud. So, I’m going to open my cloud storage here. If I were going through and actually importing this cloud information, I would go back to that authentication data file, as I had mentioned earlier. I have to export this outside of my case because technically, it ends up being a new piece of evidence associated with my case. So, I’m going to export that cloud key, I get a status notification saying it was completed successfully, and I go up to this cloud import option. All I need to do is pull up this separate wizard. I’m going to add my authentication data file. I go back to my desktop, where I exported it. And I’ve imported it. At this point, I’ve actually not talked to the cloud. All I’ve done is interpret that cloud authentication data file to show me what apps were available with those cloud keys.

I see similar accounts here. I have Jenna Thompson as well. I see that I have access to Google Locations, Google Mail, Gmail, Google Drive, and I have their Twitter. As soon as I select this Authenticate button down here, that is when I actually go through and I query to the cloud. So, if I authenticate, this is going to tell me if each of these keys is still valid and successful for me to be able to use them to log into the cloud and acquire that data. If I hit Continue, I now have different options associated with my acquisition. So, if I am only allowed to have data from a particular date range, I can do that with this limitation up here, or if I want to have everything, I can just leave it with the default settings. As you navigate to each individual app, you see that the available data over here changes. So, if I’m not entitled to the conversations on Twitter, or that’s all I’m entitled to, I can adjust my settings accordingly.

Then, I select to import that option. And this is when the actual acquisition process is going through and it’s going to capture that data, and then, what we’re going to have is a new item added to my tree over here, because it’s a new piece of evidence and it’s going to be added, that allows me to look at that separate data.

Instead of finishing my full cloud query, I’m actually going to cancel it. And then I’m going to look at the data over here. So, now I have my Gmail, my Google Drive, and my Twitter information. If I wanted to look at their email inbox associated with Gmail, I have all of her inbox and I can look at that with the same viewers – alright, that’s my cancelling – as I had before. And I can see things such as the email for the subject line, etc.

You’ll see over here that it updated because I had cancelled that acquisition, so it has a separate cloud to import. I’m going to go back and open my tree view over here, just where we were, so you can see that information. So, inbox, any chats that happened, the chat list, etc. I particularly like to look for Google Drive, because that is a primary backup location associated with Android devices. So many people use that to actually keep their data separate. It’s a great way that teens use it, to make it so they just store the data in Google Drive, so their parents can’t see it on their device. So, don’t take an app like that for granted. They have different ways of using it than what you might conventionally use it for.

The last part of my case that I would do is I take all this information and, just to give you an example, I would run a report. I’m not going to run a report on this one, but I can show you an example of a report and what it would look like.

As you can see with the report, I’ve got a lot of good information. I have my examination summary, I have my basic device information associated with it, I can have any of my case data summary, and again, my installed applications, the same that I saw them in my tool, so it’s great if I’m working with different parties – they get the basic information they need and any of those installed applications. And then, we have great information as well associated with individual details, such as contacts, calls, which we have the ability to see those in a variety of different functions. So, we have like timelines, etc. And we have these same type of options available associated with the different individual app data, so that if I wanted to have my Kik messages, any of that data that I chose to bookmark or include in my report, I see it broken down individually, so I can see those conversations going back and forth.

Thank you for joining me for this quick webinar on how to use the E3 platform and basics of getting all of your different information through your different installed applications on the device. Make sure that you take an opportunity to practice and do more and more processing. Always check your app store for the latest features associated with it. And one of the most helpful pieces of advice that I can offer is make sure you follow the different apps on social media. If you want to know when an app changes, then the best thing to do is to follow the app on Snapchat, to follow the app, Whisper, Kik, etc., because they will announce it out on social media prior to having it launched out live. In that way, you’re able to keep track of when was the last version that Snapchat added a new feature, with location data, I know it matched up … I keep a little log of the different apps out there in my lab for an easy reference, to make sure I always know exactly what’s happening.